Sandro Gauci, founder of EnableSecurity, has revealed that six years on from his 2002 report into extended HTML form attacks the problem has simply refused to go away.
The original report included details of how attackers could abuse non-HTTP protocols in order to launch Cross Site Scripting attacks, even in a situation where the target web application was not itself vulnerable to XSS. This applied to most web browsers at the time. Now, he says, not much has changed.